Session Hijacking Vulnerability in Charging Station Software by Mobiliti
CVE-2026-27764

6.9 MEDIUM

Key Information:

Vendor

Mobiliti

Status
Vendor
CVE Published:
6 March 2026

What is CVE-2026-27764?

The WebSocket backend in Mobiliti's charging station software has a significant vulnerability: it uses charging station identifiers for session management. This flawed implementation permits multiple endpoints to use the same session identifier, which in turn makes session identifiers predictable. As a result, attackers may be able to hijack legitimate sessions, allowing unauthorized users to interact with backend commands intended for a specific charging station. Malicious actors might also exploit this weakness to cause a denial-of-service condition by flooding the backend with valid session requests, interrupting normal service.
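The following is an added defensive sketch, not code from Mobiliti or from the advisory, showing session handling that avoids the pattern described above: the station identifier only names the station, the session is keyed by a random token, a second claim on a live station is refused, and session requests are throttled per source. The class `SessionRegistry`, the per-station shared secret, the `peer` address argument and all sample values are assumptions made for illustration.

```python
import hmac
import secrets
import time


class SessionRegistry:
    """Illustrative hardened session registry for a station-facing WebSocket backend."""

    def __init__(self, credentials, max_attempts=5, window=60.0):
        self.credentials = credentials  # station_id -> shared secret (assumed auth scheme)
        self.sessions = {}              # random session token -> station_id
        self.active = {}                # station_id -> token of its one live session
        self.attempts = {}              # peer address -> recent request timestamps
        self.max_attempts, self.window = max_attempts, window

    def open_session(self, station_id, secret, peer, now=None):
        now = time.monotonic() if now is None else now
        # Throttle by source, not by station ID, so a flood of session requests
        # cannot swamp the backend or lock out the genuine station.
        recent = [t for t in self.attempts.get(peer, []) if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self.attempts[peer] = recent
            return None, "rate_limited"
        self.attempts[peer] = recent + [now]
        # Knowing a station identifier is never proof of being that station.
        expected = self.credentials.get(station_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None, "auth_failed"
        # One live session per station: refuse (and alert on) a second claim.
        if station_id in self.active:
            return None, "duplicate_session"
        token = secrets.token_urlsafe(32)  # unpredictable, unrelated to station_id
        self.sessions[token] = station_id
        self.active[station_id] = token
        return token, "ok"

    def route(self, token):
        """Return the station a message belongs to, or None for an unknown token."""
        return self.sessions.get(token)

    def close_session(self, token):
        """Call on disconnect or heartbeat timeout so the station can reconnect."""
        station_id = self.sessions.pop(token, None)
        if station_id is not None:
            self.active.pop(station_id, None)
```

A `duplicate_session` result is a useful detection signal in its own right: two endpoints claiming the same station at once is exactly the condition this CVE describes.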

Affected Version(s)

e-mobi.hu All versions

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Khaled Sarieddine and Mohammad Ali Sayed reported this vulnerability to CISA.